nanog mailing list archives

Re: Is there a line of defense against Distributed Reflective attacks?


From: "Christopher L. Morrow" <chris () UU NET>
Date: Fri, 17 Jan 2003 04:11:30 +0000 (GMT)

On Thu, 16 Jan 2003, hc wrote:

Because syn cookies are available on routing gear??? Either way syn
cookies are not going to keep the device from sending a 'syn-ack' to the
'originating host'.
True.. At least it will have some stop in the amount of attacks.

It is quite unfortunate that it is impossible to control the 'ingress'
point of attack flow. Whenever there is a DoS attack, the only way to
drop it is to null route it (the method you have devised) over BGP
peering, but that knocks the victim host off the 'net... :-(
Sure, but this like all other attacks of this sort can be tracked... and
so the pain is over /quickly/ provided you can track it quickly :) Also,
sometimes null routes are ok.
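The point made above, that SYN cookies remove the server's half-open state but the SYN-ACK still goes back to whatever source address the SYN carried, as an added toy simulation (not code from this thread or from any participant; the addresses, the secret and the cookie construction are constructed assumptions for illustration):

```python
import hashlib
import hmac
from collections import Counter

# Constructed demo: a listener that uses SYN cookies. The cookie (initial
# sequence number) is an HMAC over the 4-tuple plus a coarse time slot, so
# no half-open entry is stored. The SYN-ACK is still emitted toward the
# source address in the SYN, which is what a reflective flood relies on.
SECRET = b"constructed-secret-for-demo"  # assumption, not a real key


def syn_cookie(src_ip, src_port, dst_ip, dst_port, slot):
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}:{slot}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class SynCookieListener:
    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.synack_sent = Counter()  # destination of every SYN-ACK emitted
        self.half_open = {}           # stays empty: the cookie replaces it
        self.established = set()

    def on_syn(self, src_ip, src_port, slot):
        isn = syn_cookie(src_ip, src_port, self.ip, self.port, slot)
        self.synack_sent[src_ip] += 1  # reflected to the (maybe spoofed) source
        return ("SYN-ACK", src_ip, src_port, isn)

    def on_ack(self, src_ip, src_port, ack, slot):
        # Accept only if the ACK validates against a cookie from this or the
        # previous time slot; spoofed sources never see the cookie, so they
        # cannot complete the handshake and consume no state.
        for s in (slot, slot - 1):
            if ack == syn_cookie(src_ip, src_port, self.ip, self.port, s) + 1:
                self.established.add((src_ip, src_port))
                return True
        return False


def simulate(n_spoofed):
    """Constructed scenario: n SYNs spoofed from a victim address, then one
    legitimate client completes its handshake. Returns (SYN-ACKs reflected to
    the victim, half-open entries, legit handshake ok, established count)."""
    srv = SynCookieListener("198.51.100.10", 80)
    victim, slot = "203.0.113.5", 1000
    for port in range(1024, 1024 + n_spoofed):
        srv.on_syn(victim, port, slot)
    _, ip, port, isn = srv.on_syn("192.0.2.7", 40000, slot)
    ok = srv.on_ack(ip, port, isn + 1, slot)
    return srv.synack_sent[victim], len(srv.half_open), ok, len(srv.established)
```

The counter shows the cost is moved off the server and onto the spoofed address: every bogus SYN still produces one SYN-ACK to the victim, which is why cookies help the reflector but not the host being reflected at.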